US-12621332-B2 - Static vulnerability analysis techniques

Abstract

A system and method for static analysis. A method includes accessing a cloud component in order to obtain configurations including sets of instructions used for routing to computing interfaces, wherein the cloud component is used to route requests to a plurality of computing interfaces. Dependencies of the computing interfaces are identified by scanning each of the configurations, where each dependency is a reliance by the computing interface on a service provided by another component in a computing environment and the dependencies are identified by applying dependency identification rules with respect to at least one type of resource implemented in each computing interface. Paths are determined based on the identified dependencies, where each path includes at least one of the computing interfaces through which requests are routed. A vulnerability is detected among the computing interfaces based on the determined paths.

Inventors

  • Aner MORAG
  • Tomer ROIZMAN
  • Dor DANKNER
  • Shay Levi
  • Oz GOLAN
  • Hila ZIGMAN
  • Oren SHPIGEL
  • Netanel MAMAN
  • Yuval Alkalai Tavori

Assignees

  • NONAME GATE LTD.

Dates

Publication Date
2026-05-05
Application Date
2022-08-31

Claims (19)

  1. A method for static analysis, comprising: accessing a cloud component in order to obtain a plurality of configurations, wherein the cloud component is used to route requests to a plurality of computing interfaces, wherein a computing interface is a shared boundary across which two or more separate components of a computing environment exchange information, and wherein the plurality of configurations includes at least one set of instructions used for routing to at least one of the plurality of computing interfaces; identifying dependencies of the plurality of computing interfaces by scanning each of the plurality of configurations, wherein each dependency is a reliance by the computing interface on a service provided by another component in the computing environment, wherein the dependencies are identified by applying dependency identification rules, wherein the dependency identification rules applied to at least first and second configurations differ depending on a type of resource implemented in the computing interface corresponding to the first or second configuration; determining at least one path based on the identified dependencies, wherein each path includes at least one of the plurality of computing interfaces through which requests are routed; and detecting a vulnerability among the plurality of computing interfaces based on the determined at least one path.
  2. The method of claim 1, further comprising: taking a plurality of snapshots of a plurality of disks, each disk hosting a respective computing resource serving one of the plurality of computing interfaces, wherein obtaining the plurality of configurations further includes scanning the plurality of snapshots.
  3. The method of claim 1, wherein the vulnerability is determined based further on traffic flows to and from each computing interface, further comprising: correlating between at least one flow involving the computing interface caused by the identified dependencies and traffic of components in the computing environment, wherein the vulnerability is detected based on the correlation.
  4. The method of claim 1, further comprising: correlating between at least one flow caused by the identified dependencies and hostile traffic in the computing environment in order to determine whether the hostile traffic is directed to a vulnerable component in the computing environment, wherein the vulnerability is detected based on the correlation.
  5. The method of claim 1, wherein the detected vulnerability is a vulnerability caused by a dependency on a known vulnerable service.
  6. The method of claim 1, wherein the vulnerability is detected based on at least one vulnerability identified in the instructions of the plurality of configurations.
  7. The method of claim 1, further comprising: determining a utilization status of each of the dependencies, wherein each utilization status indicates whether the respective dependency is currently utilized, wherein the vulnerability is detected based further on the determined utilization statuses.
  8. The method of claim 7, further comprising: creating a graph of connections among the plurality of computing interfaces based on the identified dependencies, wherein the utilization status of each of the dependencies is determined based further on the graph of connections among the plurality of computing interfaces.
  9. The method of claim 8, further comprising: creating a cybersecurity posture of a computing environment in which the cloud component is deployed based on the graph of connections, wherein the created cybersecurity posture is a model of computing interfaces used for communications in or with the computing environment, wherein the computing interfaces used for communications in or with the computing environment include the plurality of computing interfaces to which the cloud component routes requests.
  10. A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising: accessing a cloud component in order to obtain a plurality of configurations, wherein the cloud component is used to route requests to a plurality of computing interfaces, wherein a computing interface is a shared boundary across which two or more separate components of a computing environment exchange information, and wherein the plurality of configurations includes at least one set of instructions used for routing to at least one of the plurality of computing interfaces; identifying dependencies of the plurality of computing interfaces by scanning each of the plurality of configurations, wherein each dependency is a reliance by the computing interface on a service provided by another component in the computing environment, wherein the dependencies are identified by applying dependency identification rules, wherein the dependency identification rules applied to at least first and second configurations differ depending on a type of resource implemented in the computing interface corresponding to the first or second configuration; determining at least one path based on the identified dependencies, wherein each path includes at least one of the plurality of computing interfaces through which requests are routed; and detecting a vulnerability among the plurality of computing interfaces based on the determined at least one path.
  11. A system for static analysis, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: access a cloud component in order to obtain a plurality of configurations, wherein the cloud component is used to route requests to a plurality of computing interfaces, wherein a computing interface is a shared boundary across which two or more separate components of a computing environment exchange information, and wherein the plurality of configurations includes at least one set of instructions used for routing to at least one of the plurality of computing interfaces; identify dependencies of the plurality of computing interfaces by scanning each of the plurality of configurations, wherein each dependency is a reliance by the computing interface on a service provided by another component in the computing environment, wherein the dependencies are identified by applying dependency identification rules, wherein the dependency identification rules applied to at least first and second configurations differ depending on a type of resource implemented in the computing interface corresponding to the first or second configuration; determine at least one path based on the identified dependencies, wherein each path includes at least one of the plurality of computing interfaces through which requests are routed; and detect a vulnerability among the plurality of computing interfaces based on the determined at least one path.
  12. The system of claim 11, wherein the system is further configured to: take a plurality of snapshots of a plurality of disks, each disk hosting a respective computing resource serving one of the plurality of computing interfaces, wherein obtaining the plurality of configurations further includes scanning the plurality of snapshots.
  13. The system of claim 11, wherein the vulnerability is determined based further on traffic flows to and from each computing interface, wherein the system is further configured to: correlate between at least one flow involving the computing interface caused by the identified dependencies and traffic of components in the computing environment, wherein the vulnerability is detected based on the correlation.
  14. The system of claim 11, wherein the system is further configured to: correlate between at least one flow caused by the identified dependencies and hostile traffic in the computing environment in order to determine whether the hostile traffic is directed to a vulnerable component in the computing environment, wherein the vulnerability is detected based on the correlation.
  15. The system of claim 11, wherein the detected vulnerability is a vulnerability caused by a dependency on a known vulnerable service.
  16. The system of claim 11, wherein the vulnerability is detected based on at least one vulnerability identified in the instructions of the plurality of configurations.
  17. The system of claim 11, wherein the system is further configured to: determine a utilization status of each of the dependencies, wherein each utilization status indicates whether the respective dependency is currently utilized, wherein the vulnerability is detected based further on the determined utilization statuses.
  18. The system of claim 17, wherein the system is further configured to: create a graph of connections among the plurality of computing interfaces based on the identified dependencies, wherein the utilization status of each of the dependencies is determined based further on the graph of connections among the plurality of computing interfaces.
  19. The system of claim 18, wherein the system is further configured to: create a cybersecurity posture of a computing environment in which the cloud component is deployed based on the graph of connections, wherein the created cybersecurity posture is a model of computing interfaces used for communications in or with the computing environment, wherein the computing interfaces used for communications in or with the computing environment include the plurality of computing interfaces to which the cloud component routes requests.
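The claimed pipeline (scan router configurations, apply resource-type-specific dependency rules, build request paths, flag paths that end in a known vulnerable service and mark whether that dependency is currently utilized, claims 1, 5 and 7) as an added worked example. This is not the patent's or the assignee's code; the route entries, resource types, service names, vulnerable-service inventory and observed flows are all constructed placeholders.

```python
"""Added example (not the patent's code): static dependency analysis of constructed
API-gateway routing configurations, following the claimed method step by step."""
from urllib.parse import urlparse

# Constructed routing configurations, shaped like what a cloud router exposes.
ROUTES = [
    {"path": "/orders", "type": "lambda", "function": "orders-fn",
     "env": {"DB_HOST": "orders-db", "CACHE_URL": "redis://cache:6379"}},
    {"path": "/users", "type": "http_proxy", "upstream": "https://users-svc.internal/v1"},
    {"path": "/reports", "type": "http_proxy", "upstream": "http://legacy-report.internal"},
    {"path": "/health", "type": "mock"},
]
# Constructed inventory: services whose deployed version is known vulnerable (placeholder).
KNOWN_VULNERABLE = {"legacy-report.internal", "cache"}
# Constructed interface -> service edges observed in flow logs (claim 7 utilization input).
OBSERVED_FLOWS = {("/orders", "orders-fn"), ("/orders", "orders-db"),
                  ("/orders", "cache"), ("/users", "users-svc.internal")}

def _host(value):
    """Reduce a URL or bare host string to the host name the interface relies on."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return parsed.hostname or value

# Dependency identification rules differ by resource type (claim 1): a function
# integration is scanned for its function name and environment endpoints, an
# HTTP proxy for its upstream host, and a mock integration has no dependencies.
RULES = {
    "lambda": lambda c: [c["function"]] + [_host(v) for v in c.get("env", {}).values()],
    "http_proxy": lambda c: [_host(c["upstream"])],
    "mock": lambda c: [],
}

def identify_dependencies(routes):
    """{interface path: [services it relies on]}, by scanning each configuration."""
    return {r["path"]: RULES[r["type"]](r) for r in routes}

def determine_paths(dependencies):
    """One request path per dependency edge: gateway -> interface -> service."""
    return [("gateway", iface, svc) for iface, svcs in dependencies.items() for svc in svcs]

def utilization_status(paths, observed_flows):
    """Whether each interface -> service edge of the graph appears in observed traffic."""
    return {(iface, svc): (iface, svc) in observed_flows for _, iface, svc in paths}

def detect_vulnerabilities(routes, known_vulnerable, observed_flows):
    """Paths ending in a known vulnerable service, tagged with whether the edge is live."""
    paths = determine_paths(identify_dependencies(routes))
    used = utilization_status(paths, observed_flows)
    return [{"path": " -> ".join(p), "service": p[2], "utilized": used[(p[1], p[2])]}
            for p in paths if p[2] in known_vulnerable]
```

A finding whose edge is utilized is reachable through live traffic and should be triaged first; an unutilized one is still a latent exposure in the configuration.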

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of U.S. patent application Ser. No. 17/645,165 filed on Dec. 20, 2021, now pending, the contents of which are hereby incorporated by reference.

TECHNICAL FIELD

The present disclosure relates generally to cybersecurity for computing interfaces, and more specifically to detecting vulnerabilities among computing interfaces via static analysis.

BACKGROUND

The vast majority of cybersecurity breaches can be traced back to an issue with a computing interface such as an application programming interface (API). API abuses are expected to become the most frequent attack vector in the future, and insecure APIs have been identified as a significant threat to cloud computing.

An API is a computing interface. A computing interface is a shared boundary across which two or more separate components of a computer system exchange information. Computing interfaces therefore allow disparate computing components to effectively communicate with each other despite potential differences in communication format, content, and the like. An API defines interactions between software components.

In modern computing architectures, the backend acts like a direct proxy for data. As a result, a flawed API can lead to exposure of sensitive data, account takeovers, and even denial of service (DoS) attacks. Securing APIs is therefore a top priority of many computing services providers.

Some existing solutions for detecting API abuse have been created. These solutions typically look at communications between a computing architecture and one or more external systems through an API to detect abnormal traffic. These solutions face challenges in adapting to new and constantly evolving threats. Techniques for improving the accuracy of abnormality detection and for adapting more flexibly to threats are always desirable.

It would therefore be advantageous to provide a solution that would overcome the challenges noted above.

SUMMARY

A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term "some embodiments" or "certain embodiments" may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.

Certain embodiments disclosed herein include a method for static analysis. The method comprises: accessing a cloud component in order to obtain a plurality of configurations, wherein the cloud component is used to route requests to a plurality of computing interfaces, wherein the plurality of configurations includes at least one set of instructions used for routing to at least one of the plurality of computing interfaces; identifying dependencies of the plurality of computing interfaces by scanning each of the plurality of configurations, wherein each dependency is a reliance by the computing interface on a service provided by another component in a computing environment, wherein the dependencies are identified by applying dependency identification rules with respect to at least one type of resource implemented in each computing interface; determining at least one path based on the identified dependencies, wherein each path includes at least one of the plurality of computing interfaces through which requests are routed; and detecting a vulnerability among the plurality of computing interfaces based on the determined at least one path.
Certain embodiments disclosed herein also include a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising: accessing a cloud component in order to obtain a plurality of configurations, wherein the cloud component is used to route requests to a plurality of computing interfaces, wherein the plurality of configurations includes at least one set of instructions used for routing to at least one of the plurality of computing interfaces; identifying dependencies of the plurality of computing interfaces by scanning each of the plurality of configurations, wherein each dependency is a reliance by the computing interface on a service provided by another component in a computing environment, wherein the dependencies are identified by applying dependency identification rules with respect to at least one type of resource implemented in each computing interface; determining at least one path based on the identified dependencies, wherein each path includes at least one of the plurality of compu